The team at the research firm Sucuri announced a serious vulnerability in W3TC and WP Super Cache this afternoon. (Update: it appears the vulnerability was first reported on WordPress.org about a month ago.) The vulnerability allows remotely supplied PHP code to be executed on the server of anyone running either of the two most popular WordPress caching plugins. This is a serious vulnerability, as it could allow an attacker to execute code on your server.

Here are the versions of each plugin that are vulnerable:

W3 Total Cache: version 0.9.2.8 and below are vulnerable; version 0.9.2.9 and up are not vulnerable (upgrade here)

WP Super Cache: version 1.2 and below are vulnerable; version 1.3.x and up are not vulnerable (upgrade here)

As a precaution, CloudFlare has applied a rule to our network which protects against this specific vulnerability in both plugins. The protection is applied for all CloudFlare accounts automatically, even free accounts. You do not need to do anything to enable the protection.

Technical Details

The attack takes advantage of several functions in these plugins, including mfunc, mclude, and dynamic-cached-content. An attacker can execute a PHP command on the server simply by posting a comment to a WordPress blog running a vulnerable version of W3 Total Cache or WP Super Cache. For example, if you are running a vulnerable version of either plugin, posting the following comment will result in your current PHP version being printed in the rendered comment:

<!--mfunc echo PHP_VERSION; --><!--/mfunc-->

While this is harmless, the same mfunc call in either plugin can run other arbitrary commands on your server. This could be used to gain access to the server, execute arbitrary database commands, or remotely install malware. Again, this is a very severe vulnerability and all W3TC and WP Super Cache users should upgrade immediately (W3TC Upgrade / WP Super Cache Upgrade).
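The post does not show what the network rule mentioned above looks like, so here is an added illustration (not CloudFlare's rule and not code from either plugin) of the defensive check a site owner or proxy could apply to submitted comment bodies before they reach a vulnerable plugin: flag any HTML comment that opens one of the three tag names the post lists, and neutralize it by HTML-escaping the opening bracket. The tag names come from the post; the case-insensitive, whitespace-tolerant matching is an assumption chosen to over-match rather than under-match, and the sample comment submissions are constructed for the example.

```python
import re

# Tag names the post says the caching plugins interpret inside page output.
DYNAMIC_TAGS = ("mfunc", "mclude", "dynamic-cached-content")

# Matches an HTML comment that opens (or closes) one of the dynamic-content
# tags, e.g. "<!--mfunc echo PHP_VERSION; -->" from the post, or "<!--/mfunc-->".
# Optional whitespace and any letter case are accepted on purpose (assumption:
# a defensive filter should over-match rather than miss a variant spelling).
_TAG_RE = re.compile(
    r"<!--\s*/?\s*(" + "|".join(re.escape(t) for t in DYNAMIC_TAGS) + r")\b",
    re.IGNORECASE,
)


def is_suspicious_comment(text):
    """True if the comment body carries any of the dynamic-content tags."""
    return bool(_TAG_RE.search(text))


def find_dynamic_tags(text):
    """Distinct tag names present in text, lower-cased, in order of first appearance."""
    seen = []
    for match in _TAG_RE.finditer(text):
        name = match.group(1).lower()
        if name not in seen:
            seen.append(name)
    return seen


def neutralize(text):
    """Escape the opening '<!--' only where it starts a dynamic tag, so a
    vulnerable plugin no longer recognizes it while ordinary HTML comments
    elsewhere in the body are left untouched."""
    return _TAG_RE.sub(lambda m: "&lt;!--" + m.group(0)[4:], text)


def scan_comments(comments):
    """Return (index, tag names) for every comment body that should be blocked or logged."""
    return [
        (i, find_dynamic_tags(body))
        for i, body in enumerate(comments)
        if is_suspicious_comment(body)
    ]


# Constructed sample submissions: a clean comment, the post's own example,
# a whitespace/case variant of it, and a harmless HTML comment.
SAMPLE_COMMENTS = [
    "Great post, thanks!",
    "<!--mfunc echo PHP_VERSION; --><!--/mfunc-->",
    "<!--  MFunc  echo 1; --><!--/mfunc-->",
    "<!-- this is just an html comment -->",
]

if __name__ == "__main__":
    for index, tags in scan_comments(SAMPLE_COMMENTS):
        print(f"comment {index}: flagged for {tags}")
        print("  neutralized:", neutralize(SAMPLE_COMMENTS[index]))
```

This check belongs in front of the plugin (at a proxy, or hooked into comment submission) as a stop-gap only; the actual fix is the plugin upgrade listed above, since the tags are also honored in other content the plugins cache, not just comments.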
